In 2023, healthcare organizations face an impossible paradox. On the one hand, they have no choice but to rely on third-party vendors––the ongoing digitization of healthcare would be impossible without them. On the other hand, many vendors have shown themselves to be highly vulnerable to attack, with ransomware and other breaches drastically impacting the ability of some health organizations to function effectively, affecting patient outcomes, causing regulatory compliance issues, and spawning class action lawsuits because of lost or stolen data.
The problem is worse than you might realize. No industry is immune to harm from cyberattacks, but healthcare has been hit particularly hard: according to a recent report from the Identity Theft Research Center, no other industry has experienced as many breach events in the last two years.
For this very reason, healthcare vendor risk management programs have taken on a new importance in recent years. While long-established in fields like finance, these kinds of technologies (like vendor risk management (VRM) technology, workflow automation, and vendor assessment clearinghouses and exchanges) are a relatively new phenomenon in the healthcare field. Below, we've assembled a quick guide to how VRM technology works and why it's quickly gaining traction in the healthcare field.
What is VRM, and how does it work?
Back when sensitive patient information was stored in physical files, healthcare organizations only had to worry about the (rare) physical break-in. Today––when third-party vendors store or manage infinite reams of Protected Health Information (PHI), have highly privileged access into your networks and systems, or attach proprietary technologies to your network––the range of potential threats has increased exponentially.
This is why vendor risk management (VRM) is so important. It can take a wide variety of forms, but some of its most essential technological components include making sure assessment data (and supporting evidence) is exchanged efficiently (for instance, through automated vendor questionnaire technology); automated risk scoring, vendor tiering, and decision support; risk findings tracking and remediation capabilities (e.g. risk registers); workflow automation; and reporting and data visualization.
Of course, a high-performing VRM program involves a number of important factors beyond the technology itself. Vendor inventories need to be continually updated and tiered based on criticality, impact, and compliance exposure. Vendors who require remediation need to be prioritized, and that remediation activity needs to be tracked over time. Key performance indicators (KPIs), key risk indicators (KRIs), and service-level agreements (SLA) need to be vigorously and continually tracked. And––because the worst-case scenario can't always be kept at bay, even with a quality VRM program in place––relevant parties need to prepare and practice communication plans to customers should a supply chain incident ever occur.
Working with third-party vendors to affect remediation
So you've got a VRM program in place and you've identified a risk in one of your vendors. What happens next?
The process, unfortunately, is not automatic. Organizations that spot a risk must work on their own to drive the third-party vendor to remediate the issue in question. This is, of course, as important (if not more important) than identifying the risk in the first place––because a risk identified but not remediated is not of much value to anyone.
The name of the game here is prioritization. The National Institute of Standards in Technology's 800-53 cybersecurity standard and compliance framework has hundreds of controls––it might not be reasonable to expect high maturity ratings in every single one. Instead, it might be worth focusing in on a subset of critical controls––for instance, a vendor's vulnerability management program, or its incident response plans.
It's important, as well, to make sure there is a support model and communication plan in place: this should ideally be a bi-directional process, with expectations properly set on both sides around timeframe, escalation points, etc.
The legal side of VRM programs
Failure to implement a quality VRM program and to work on remediation with third-party vendors opens healthcare organizations to intolerable quantities of risk. The primary risk, of course, is to patient data and security, but the secondary risks are painful as well––non-compliance with the various regulatory standards around VRM can lead to a tremendous amount of legal risk.
There are a few practical steps related to VRM programs that organizations can take to reduce their degree of legal exposure. These include updating contracts with vendors to include security requirements and remediation expectations, defining specific Service Level Agreements (SLAs) and including them in contracts, and defining breach notification requirements as well as communication expectations for breach events.
To ensure that the ramifications from these various risks are controlled and avoided, it’s important to choose a trusted VRM program. Solutions like CORL have been battle-tested, having managed third-party risk for hundreds of healthcare organizations and assessed over 80,000 healthcare vendors and their security posture, so the effectiveness of their technology and methodology is proven.
Thorough VRM isn’t easy––nothing in healthcare ever is. But if patients are to be assured that their information is safe, healthcare organizations need to work proactively to implement it, enlisting the help of cybersecurity professionals and continually prodding third and fourth-party vendors to effect the relevant changes. The digital transformation revolution in healthcare is here; we cannot delude ourselves about the risks in play today. Every healthcare organization needs to understand how its risk profile is now shared across its vendor population. And HDOs and vendors must work collaboratively and proactively to lower those risks together.
About Britton Burton
SENIOR DIRECTOR OF PRODUCT STRATEGY
Britton is a cybersecurity and risk management practitioner with over a decade of experience designing and leading security programs and teams in the healthcare setting. Prior to joining CORL, he served as Director of Risk Management at HCA Healthcare. In that role, Britton was responsible for a from-scratch rebuild of the security risk program that covered the entire portfolio of businesses under the HCA umbrella. He executed against the strategic vision to make risk visible, facilitate well-informed decision making, and drive accountability across the organization by implementing a risk framework, developing operational processes and GRC tools, and using data analytics and BI visualization. Prior to his national role, Britton served as the Director of Information Security in Kansas City for HCAs MidAmerica Division where he led TPRM, risk management, Incident Response, and Disaster Recovery efforts for the division.